VirtueMart Forum

VirtueMart Dev/Coding Central: VM1 (old version) => Virtuemart 1.1 Development (Archiv) => Quality & Testing VirtueMart 1.1.x => Topic started by: FavoriteU on April 29, 2008, 06:54:20 AM

Title: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on April 29, 2008, 06:54:20 AM
Storing CVV2 numbers is not compliant with PCI standards and likely a breach of all merchant accounts.  Even with "Store Credit Card Information" marked NO in the Configuration -> Security, the CVV2 code is still sent in the receipt e-mail to the customer.  It shouldn't be.  It should only be sent to the merchant services provider during actual card processing.

How can I remove the CVV2 code from the order e-mail receipt that is sent to the customer?

Thanks.

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on May 09, 2008, 21:36:34 PM
Quite a few people have read this thread but no one has responded.  Is this a bug?  Can it be disabled?  The only solution I have found thus far is to remove all billing information from the confirmation e-mail sent to the customer.  This is not preferred, but will have to do for now as storing or sending the CVV2 code is a violation of everyone's credit card agreement.

The e-mail template calls a script, the script doesn't seem to separate the fields, so I can't remove the CVV2 without messing up something else.  Could someone help with this?  That data is not supposed to be stored and should not be sent to the customer (or anyone else other than to your credit card processing gateway).

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: willowtree on May 10, 2008, 14:29:07 PM
if you're using a gateway there should be no need to store any cc data?

which payment method are you using?
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on May 10, 2008, 14:33:13 PM
I am using a gateway and I've told VirtueMart NOT to store CC data.  This is exactly my point.  It's not coming to me in the backend, but the customer's confirmation e-mail shows it.

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: willowtree on May 10, 2008, 15:39:32 PM
in the vm admin, which payment method are you using?
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on May 10, 2008, 16:44:26 PM
Credit Card (AN - ps_authorize)

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: willowtree on May 10, 2008, 17:44:39 PM
In that case i'm moving this post into the quality and testing for 1.1 forum as it seems to be an issue with 1.1 that should be resolved.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on May 10, 2008, 18:16:08 PM
Thanks for your help.  Again I don't see it anywhere but the confirmation e-mail.  So I ended up removing ALL billing info from the confirmation e-mail until I get it resolved.  Better to send nothing at all than to send too much in this case.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: FavoriteU on May 28, 2008, 22:51:15 PM
There hasn't been any update to this since Willowtree moved this post to the "Quality & Testing" forum.  Are there plans to adjust this, or at least tell us how to do it ourselves?  It is my belief this should be considered a bug as it is a security issue.  Please provide some kind of update.

Thanks.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: Peter on July 06, 2008, 23:19:16 PM
This is a serious security issue for clients. A payment module called Offline Credit Card (OCC) by deneb (http://forum.virtuemart.net/index.php?topic=14955.0) worked really well in VirtueMart ver 1.0.1, but it does not work correctly in ver 1.1.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: katandmouse on September 23, 2008, 21:10:40 PM
Yes this is very serious! We just had a customer tell us this was illegal. Virtuemart developers can you please come up with a quick solution, or please tell us what file this is in so we can remove it ourselves. Thanks.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: skyline on October 10, 2008, 01:37:49 AM
This is not up to PCI Compliance that's for sure.

Sorry I don't have 1.1 but I did post a "how to" about not storing this info for 1.0.15.

Probably very similar to 1.1

http://forum.virtuemart.net/index.php?topic=46725.0

HTH
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: losmarinos3 on March 05, 2011, 00:47:24 AM
Has there been an answer to this problem? It is such an important issue, and I cannot find the answer on this forum.
I just had a customer threatening to sue me. Then I would have to counter-sue VirtueMart.
Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: zanardi on March 05, 2011, 11:01:38 AM
@losmarinos3:
I don't know what alien world you come from, proposing to sue an open source and free (as in beer) project for a missing feature, instead of just paying a developer for 15 minutes of work to fix this.

That said, the fix to avoid CVV being sent via e-mail is this.

In ps_checkout.php, lines 1907-1909 (on VM 1.1.7) are these:


    if( !empty($_SESSION['ccdata']['credit_card_code'])) {
        $payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
    }


Just comment out or delete these lines.

Please note that in different versions of Virtuemart line numbers can change.
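
Added example, not part of the original post and not VirtueMart code: because the line numbers differ between versions, this Python sketch locates statements that concatenate or echo `$_SESSION['ccdata']['credit_card_code']` into text, in a single source string or across a directory of .php files. The sample PHP, the `$gateway_request` line and the function names are constructed for illustration; the pattern is a heuristic and does not cover string interpolation.

```python
import os
import re

# The session field from the snippet quoted above; quotes and spacing may vary.
REF = r"""\$_SESSION\[\s*['"]ccdata['"]\s*\]\s*\[\s*['"]credit_card_code['"]\s*\]"""
# The value is written into text when it is concatenated or echoed/printed.
EMIT = re.compile(
    r"\.\s*" + REF                       # 'CVV code: ' . $_SESSION[...]
    + r"|" + REF + r"\s*\.(?!=)"         # $_SESSION[...] . '<br />'
    + r"|\b(?:echo|print)\b[^;]*" + REF  # echo $_SESSION[...]
)


def find_cvv_output(php_source):
    """Return (line_number, line) for lines that write the CVV into a string."""
    return [
        (number, line.strip())
        for number, line in enumerate(php_source.splitlines(), start=1)
        if EMIT.search(line)
    ]


def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = find_cvv_output(handle.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample (not the real ps_checkout.php): the quoted block plus a
# hypothetical line that hands the value to the payment gateway.
SAMPLE = """<?php
$payment_info_details = 'Credit Card<br />';
if( !empty($_SESSION['ccdata']['credit_card_code'])) {
    $payment_info_details .= 'CVV code: '.$_SESSION['ccdata']['credit_card_code'].'<br />';
}
$gateway_request['card_code'] = $_SESSION['ccdata']['credit_card_code'];
"""

if __name__ == "__main__":
    for number, line in find_cvv_output(SAMPLE):
        print(f"line {number}: {line}")
```

The guard line and the gateway assignment are not reported, since neither writes the value into a string; only the line that builds the e-mail text is.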

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: losmarinos3 on March 05, 2011, 15:08:05 PM
Thank you Francesco,
I was a bit worried after a customer threatened to sue me. Sorry for going overboard about it.
Re these lines you are suggesting to delete: why would the standard product not come as defaulted to that state, i.e. CVV2 and expiry date removed from system outgoing customer e-mails?

Title: Re: Remove CVV2 from Customer E-Mail Receipt?
Post by: zanardi on March 05, 2011, 17:51:51 PM
Quote from: losmarinos3 on March 05, 2011, 15:08:05 PM
Re these lines you are suggesting to delete: why would the standard product not come as defaulted to that state, i.e. CVV2 and expiry date removed from system outgoing customer e-mails?

I can't say for sure. VirtueMart has a long history and I have only been part of it for less than a year. I can announce they will be removed by default in the upcoming 1.1.8 version (which will hopefully be released in a few weeks).